Bangeter 04-malware_identification_v50.pdf
Card set details
Cards | 18 |
---|---|
Language | English |
Category | Technology |
Level | University |
Created / Updated | 19.06.2019 / 01.07.2021 |
Licensing | Not specified |
Web link | https://card2brain.ch/box/20190619_bangeter_04malwareidentificationv50_pdf |
Why is malware identification important?
- Malware identification is important for incident response in a company or in a law enforcement context.
- In a cybercrime case: reinstall the machine and you're done.
- An espionage type of attack possibly affects substantial parts of a network and requires different / more complex reactions.
How can malware identification help us in our analysis of the malware?
- Mostly the same attack has been used before.
- Most malware families have been analyzed before -> additional information
- Through identifying malware we immediately get access to all work done previously
- Analysis of new malware can take days to months.
What is an IOC (Indicator of Compromise)?
An indicator of compromise (IOC) is an a priori known characteristic artefact of attacks or of malware samples / families.
IOCs can be used for detection and identification purposes.
Name some host-based IOCs (Indicators of Compromise)
Host-based IOCs
- Hashes of malware executables, modules, dropped files etc.
- Filenames of dropped files or email attachments (infection vector)
- Registry entries (e.g. used for persistence)
- Mutexes (a program object that is created so that multiple program threads can take turns sharing the same resource, such as access to a file)
- Process names
- Anti-virus or YARA signatures
- Strings